Draft Recommendation of the Committee of Ministers to member states on the protection of human rights with regard to social networking services

SOCIAL NETWORKS AS HUMAN RIGHTS ENABLERS AND CATALYST FOR DEMOCRACY

1. Social networking services are an important part of growing numbers of people’s daily lives. They are a tool for expression and communication between individuals, and also for direct mass communication or mass communication in aggregate. This complexity gives operators of social networking services or platforms a great potential to promote the exercise and enjoyment of human rights and fundamental freedoms, in particular the freedom to express, to create and to exchange content and ideas, and the freedom of assembly.

2. The increasingly prominent role of social networking services and other social media services also offers great possibilities for enhancing the potential for the participation of individuals in political, social and cultural life. The Committee of Ministers has acknowledged the public service value of the Internet in that, together with other ICT services, they serve to promote the exercise and enjoyment of human rights and fundamental freedoms for all who use them. As part of the public service value of the Internet these social networking services can facilitate democracy and social cohesion.

HUMAN RIGHTS MAY BE CHALLENGED ON SOCIAL NETWORKS

3. Freedom of expression and information, as well as the right to private life and human dignity may also be challenged on social networking services, which can also shelter discriminatory practices. Threats may, in particular, arise from: lack of legal, including procedural, safeguards surrounding processes that can lead to the exclusion of users; inadequate protection of children and young people against harmful content or behaviours; breach of other people’s rights; lack of privacy-friendly default settings; lack of transparency about the purposes for which personal data are collected and processed.

4. Users of social networking services should respect other people’s rights and freedoms. Media education is particularly important in the context of social networking services in order to make the users aware of their rights when using these tools, and also help them acquire or reinforce human rights values and develop the behaviour necessary to respect other people’s rights and freedoms.

PROVIDERS SHOULD RESPECT HUMAN RIGHTS AND THE RULE OF LAW

5. A number of co- and self-regulatory mechanisms have already been set up in some Council of Europe member states in connection with standards for the use of social networking. It is important that procedural safeguards are respected by these mechanisms, in line with the right to be heard and to review or appeal of decisions, including in appropriate cases the right to fair trial, within reasonable time, and starting with the presumption of innocence.

6. The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe, recommends that member states, in cooperation with private sector actors and civil society, develop and promote coherent strategies to protect and promote respect for human rights with regard to social networking services, in line with the European Convention on Human Rights (ETS No. 5), especially Article 8 (Right to respect for private and family life), Article 10 (Freedom of expression) and Article 11 (Freedom of assembly and association) and with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), in particular by:

PROVIDING AN ENABLING ENVIRONMENT FOR USERS of social networks that offers opportunities to further exercise their rights and freedoms.

RAISING USERS’ AWARENESS, by means of clear and understandable language, of the possible challenges to their human rights and the ways to avoid having negative impact on other people’s rights when using these services.

PROTECTING USERS FROM HARM without limiting freedom of expression and access to information.

ENCOURAGING TRANSPARENCY ABOUT DATA PROCESSING, and preventing the illegitimate processing of personal data.

ENCOURAGING THE PROVIDERS OF SOCIAL NETWORKING SERVICES TO SET UP SELF-REGULATORY MECHANISMS, and engage in dialogue with them about the setting up of co-regulatory mechanisms where appropriate in order to contribute to the respect of the principles set out in the Appendix to this Recommendation.

TAKING MEASURES in line with the principles set out in the Appendix to this Recommendation.

BRINGING THIS RECOMMENDATION and its Appendix to the attention of all relevant public authorities and private sector actors, in particular social networking providers, and civil society.

Appendix to the Recommendation
I. ESSENTIAL INFORMATION AND MEASURES NEEDED TO HELP USERS DEAL WITH SOCIAL NETWORKS

Context and challenges:
1. Social networking services offer the possibility to both receive and impart information. Users can invite recipients on an individual basis, but in most cases the recipients are a dynamic group of people, sometimes even a “mass” of unknown people (all the members of the social network). In cases where users’ profiles are indexed by search engines, there is potentially unlimited access to parts of or all information published on their profiles.

2. It is important for users to be able to feel confident that the information they share will be processed appropriately. They should know whether this information has a public or private character and be aware of the implications that follow from choosing to make information public. In particular, children, especially teenagers, and other categories of vulnerable people need guidance in order to be able to manage their profiles and understand the impact that the publication of information of a private nature could have, in order to prevent harm to themselves and others.

Action:
3. Member states should engage in cooperation with the private sector and civil society with a view to upholding users’ right to freedom of expression, in particular by:

HELPING USERS UNDERSTAND THE DEFAULT SETTINGS OF THEIR PROFILES. The default setting for users should be that access by third parties is limited to self-selected contacts identified by the user¹. Users should be able to make an informed decision to grant access to a larger public, in particular with regard to the indexability by external search engines. In this connection, the social networking service should:

- inform users of the consequences of open access (in time and geographically) to their profiles and communications, in particular explaining the differences between private and public communication and the consequences of making information publicly available including unrestricted access to, and collection of, data by third parties;

- make it clear to the users – offering accessible tools – that they retain the right to limit access to their data, including removal from archives and search engine caches;

- offer adequate, refined possibilities to the user to “opt in” in order to consent to wider access by third parties.

ENABLING USERS TO CONTROL THEIR INFORMATION. This includes that users are informed about the need to obtain the prior consent of other people before they publish their personal data, including audio and video content, in cases where they have widened access beyond self-selected contacts; how to completely delete their profiles and all data stored about and from them in a social networking service; how to use a pseudonym.

Users should always be able to withdraw consent to the processing of their personal data. Before terminating their account, users should be able to easily and freely move the data they have uploaded to another service or device, in a usable format. Upon termination, all data from and about the users should be permanently eliminated from the storage media of the social networking service. When allowing third party applications to access users’ personal data, the services must provide sufficiently multi-layered access to allow users to specifically consent to access to different kinds of data.

HELPING USERS MAKE INFORMED CHOICES ABOUT THEIR ONLINE IDENTITY. The practice of pseudonymous profiles offers both opportunities and challenges for human rights. In its Declaration on freedom of communication on the Internet (adopted on 28 May 2003), the Committee of Ministers stressed that “in order to ensure protection against online surveillance and to enhance the free expression of information and ideas, member states should respect the will of users of the Internet not to disclose their identity”. The right of being able to use a pseudonym should be guaranteed both from the perspective of free expression and the right to impart and receive information and ideas and from the perspective of the right to private life. In the event that a social networking service requires real identity registration, the publication of that real identity on the internet should be optional for users. This does not prevent law enforcement from gaining access to the real identity when necessary and subject to appropriate legal safeguards guaranteeing the respect of fundamental rights and freedoms.

PROVIDING USERS WITH CONCISE EXPLANATIONS OF THE TERMS AND CONDITIONS of social networking services in a form and language that is geared to, and easily understandable by, the target groups of the social networking services.

FOSTERING AWARENESS INITIATIVES for parents, carers and educators to supplement information provided by the social networking service, in particular in respect of much younger children in case they participate in social networks.

PROVIDING USERS WITH CLEAR INFORMATION about the editorial policy of the social networking service provider in respect of how it deals with apparently illegal content and what it considers inappropriate content and behaviour on the network.

II. PROTECTION OF CHILDREN AGAINST HARMFUL CONTENT AND BEHAVIOUR

Context and challenges:
4. Freedom of expression includes the freedom to impart and receive information which may be shocking, disturbing and offensive. Content that is unsuitable for particular age groups may well also be protected under Article 10 of the European Convention on Human Rights, albeit subject to conditions as to its distribution.

5. Social networking services play an increasingly important role in the life of children, as part of the development of their own personality and identity, and as part of their participation in debates and social activities.

6. Against this background, there is a need to protect children because of the inherent vulnerability that their age implies. Parents, carers and educators should play a primary role in working with children to ensure that they use these services in an appropriate manner.

7. While not being required to control, supervise and/or rate all content uploaded by its users, social networking service providers may be required to adopt certain precautionary measures (e.g. comparable to “top shelf” rules applicable in certain member states) or take diligent action in response to complaints (ex-post moderation).

8. Age-verification systems are often referred to as a possible solution for protecting children from content that may be harmful to them. However, at present there is no single technical solution for online age verification that does not infringe on other human rights and/or is not exposed to age falsification.

Action:
9. In cooperation with the private sector and civil society, member states should take appropriate measures to ensure children’s safety and protect their dignity while also guaranteeing procedural safeguards and the right to freedom of expression and access to information, in particular by:

PROVIDING CLEAR INFORMATION about the kinds of content, content-sharing or conduct that may be contrary to applicable legal provisions.

PROVIDING CLEAR GUIDANCE to social networking service providers in connection with their editorial policies so that relevant content or behaviour can be defined as “inappropriate” in the terms and conditions of use of the social networking service, while ensuring that this approach does not restrict the right to freedom of expression and information in the terms guaranteed by the European Convention on Human Rights.

ENCOURAGING THE ESTABLISHMENT OF TRANSPARENT COOPERATION MECHANISMS for law enforcement bodies and social networking services. This should include attention to respect for the procedural safeguards required under Article 8, Article 10 and Article 11 of the European Convention on Human Rights.

ENCOURAGING THE SETTING-UP OF EASILY ACCESSIBLE MECHANISMS FOR REPORTING inappropriate or illegal content or behaviour posted on social networks.

SHARING BEST PRACTICE ON WAYS TO PREVENT CYBER-BULLYING AND CYBER-GROOMING. In this connection, age-differentiated access should be treated carefully as a best effort that is based on age provided by children themselves.

ENSURING RESPECT FOR ARTICLE 10, PARAGRAPH 2, of the European Convention on Human Rights. This includes refraining from the general blocking and filtering of offensive or harmful content in a way that would hamper its access by users. In this connection, the Recommendation (2008)6 of the Committee of Ministers on internet filters should be implemented with a view to ensuring that any decisions to block or delete content should be taken in accordance with such principles. Transparent voluntary individual filtering mechanisms are also to be encouraged.

III. PERSONAL DATA AND TRUST IN SOCIAL NETWORKS

Context and challenges:
10. Social networking services process large amounts of personal data, including users’ profiling data and traffic data. Publishing personal data in a profile can lead to access by third parties, including, amongst others, employers, insurance companies, law enforcement agencies and security services.

11. Social networking services should not process personal data beyond the legitimate and specified purposes for which they have collected it. They should limit processing only to that data which is strictly necessary for the agreed purpose, and for as short a time as possible.

12. Social networking services must seek the informed consent of users if they wish to process new data about them, share their data with other categories of people or companies and/or use their data in ways other than those necessary for the specified purposes they were originally collected for. As stated in Recommendation (2010)13 on the protection of individuals with regard to automatic processing of personal data in the context of profiling, users should be informed where their personal data is used in the context of profiling. The user’s decision (refusal or consent) should not have any effect on the continued availability of the service to him or her. When allowing third party applications to access users’ personal data, the services must provide sufficiently multi-layered access to allow users to specifically consent to access to different kinds of data.

Action:
13. In cooperation with the private sector and civil society, member states, in addition to the measures stated in section I of this Appendix, should work with operators of social networks to ensure that users’ right to private life is protected, in particular by:

PROMOTING BEST PRACTICES FOR USERS. This includes default privacy-friendly settings that limit access to self-selected contacts, the application of the most appropriate security measures, informed consent of users before personal data is disseminated, the sharing of personal data with other categories of people or (categories of) companies and/or use their data in other new ways.

ENSURING THAT USERS ARE ABLE TO EFFECTIVELY EXERCISE THEIR RIGHTS by offering, amongst other things, a clear user interface, and sufficiently multi-layered access for third parties.

ENSURING THAT SENSITIVE DATA HAVE ENHANCED PROTECTION. The use of techniques that may have a significant impact on users’ privacy, where for instance processing involves sensitive or biometric data (such as facial recognition), requires enhanced protection and should not be activated by default.

ENSURING THAT PROVIDERS APPLY THE MOST APPROPRIATE SECURITY MEASURES to protect personal data against unlawful access by third parties. This should include measures for the end-to-end encryption of communication between the user and the social networking service’s website. In case there is no applicable data-breach legislation, social networking services should report personal data breaches to their users, to enable them to take preventive measures, such as changing their password and/or keeping a close eye on their financial transactions (where the providers are in possession of bank or credit card details).

ENCOURAGING “PRIVACY BY DESIGN”. Social networking services should be encouraged to address data protection needs at the stage of conception of their services or products and continuously assess the privacy impact of changes to existing services with a view to strengthening security and users’ control of their personal data.

PROTECTING THIRD PARTIES who are associated by the users of social networks.
Non-users of the social network may also be affected by the disclosures of users of social networking services or by use of their data by the social networking service itself. They should have effective means of exercising their rights without having to become a member of the service and/or otherwise provide excessive personal data. Social networking service providers should refrain from collecting and processing personal data about non-users, for example e-mail addresses and biometric data (e.g. photographs). Users should be made aware of the obligations they have towards other individuals and, in particular, that the publication of personal data related to other people must respect the rights of those individuals.

ENSURING THAT PROCESSING OF PERSONAL DATA STEMMING FROM SOCIAL NETWORKS FOR LAW ENFORCEMENT PURPOSES RESPECTS ARTICLE 8 of the European Convention on Human Rights. Enforcing applicable data protection standards is essential. This includes ensuring that the processing of personal data stemming from the use of social networking services for law enforcement purposes is carried out only within an appropriate legal framework, or following specific orders or instructions from the competent public authority made in accordance with the law.

ENSURING THAT APPLICABLE LAW AND JURISDICTION ARE CLEAR AND CERTAIN. Users should be informed as to what law is applicable in the execution of the social networking services and the related processing of their personal data. Provisions in the terms and conditions of use or service involving an opportunistic or convenience choice of forum or jurisdiction should be regarded as void if there is no reasonable link to the forum or jurisdiction in question; the user’s forum or jurisdiction would be preferable in cases where a significant number of users are present in a particular territory.

ENSURING THAT USERS ARE AWARE OF THE CHALLENGES TO THEIR HUMAN RIGHTS and able to seek redress when they have been adversely affected. Users should be informed about possible challenges to their right to private life, not only in the social networking services’ core conditions (including when changes are made to general terms of service), but every time such a challenge may arise, for example, when the users make information on their profile available to new (groups of) users or when they install a third party application.

Users should be informed about the processing of their personal data, including the existence of, and means of exercising their rights (i.e. access, rectification, erasure), in a clear and understandable manner and in language geared to the target audience.

In addition to applicable legal provisions, appropriate complaint handling mechanisms should be guaranteed against abusive behaviour of users, in particular with regard to identity theft.

¹ See Article 29 Data Protection Working Party Opinion 5/2009 (12 June 2009); 30th International Conference of Data Protection and Privacy Commissioners Resolution on Privacy Protection in Social Network Services (Strasbourg, 17 October 2008); International Working Group on Data Protection in Telecommunications (IWGDPT) “Rome Memorandum” (Rome, 3-4 March 2008).